[Bug 502761] [NEW] Security Updates needed for kde4libs and kdebase-runtime in jaunty-backports
Scott Kitterman
ubuntu at kitterman.com
Sun Jan 3 23:58:21 GMT 2010
*** This bug is a security vulnerability ***
Public security bug reported:
kde4libs (4:4.2.2-0ubuntu5.4) jaunty-security; urgency=low
[ Jamie Strandboge ]
* SECURITY UPDATE: fix buffer overflow when converting string to float
- debian/patches/CVE-2009-0689.diff: adjust Kmax to handle large field
numbers in kjs/dtoa.cpp
- CVE-2009-0689
[ Jonathan Riddell ]
* SECURITY UPDATE: uncontrolled XMLHTTPRequest vulnerability
- Ark and KMail performs insufficient validation which leads to
specially crafted archive files, using unknown MIME types, to be
rendered using a KHTML instance, this can trigger uncontrolled
XMLHTTPRequests to remote sites
- Add debian/patches/security_02_XMLHttpRequest_vulnerability.diff,
restricts xmlhttprequest to http protocols only
- http://www.kde.org/info/security/advisory-20091027-1.txt
- oCert: #2009-015 http://www.ocert.org/advisories/ocert-2009-015.html
- CVE-2009-XXXX
-- Jamie Strandboge < jamie at ubuntu.com> Mon, 07 Dec 2009 15:25:55 -0600
Show details 4:4.3.85-0ubuntu2 release (main) 12 days ago
The Karmic Koala (current stable release)
KDE Base trunk series 8894 Delete Link
Show details 4:4.3.2-0ubuntu4 release (main) ten weeks ago
Show details 4:4.3.2-0ubuntu4.1 updates, security (main) three weeks ago
The Jaunty Jackalope (supported)
KDE Base trunk series 7689 Delete Link
Show details 4:4.2.2-0ubuntu1.1 updates, security (main) three weeks ago
Publishing details
Published on 2009-12-11
Copied from ubuntu jaunty in Private PPA for Ubuntu Security Team
Changelog
kdebase-runtime (4:4.2.2-0ubuntu1.1) jaunty-security; urgency=low
* SECURITY UPDATE: IO Slaves input sanitization errors
- KDE protocol handlers perform insufficient input validation, an
attacker can craft malicious URI that would trigger JavaScript
execution. Additionally the 'help://' protocol handler suffer from
directory traversal. It should be noted that the scope of this
issue is limited as the malicious URIs cannot be embedded in
Internet hosted content.
- Add security_01_info_kio_no_javascript.diff, stops javascript
within info kio slave
- http://www.kde.org/info/security/advisory-20091027-1.txt
- oCert: #2009-015 http://www.ocert.org/advisories/ocert-2009-015.html
- CVE-2009-XXXX
-- Jonathan Riddell < jriddell at ubuntu.com> Mon, 07 Dec 2009 17:59:21 +0000
** Affects: jaunty-backports
Importance: Undecided
Status: New
** This bug has been flagged as a security vulnerability
--
Security Updates needed for kde4libs and kdebase-runtime in jaunty-backports
https://bugs.launchpad.net/bugs/502761
You received this bug notification because you are a member of Ubuntu
Backporters, which is the registrant for Jaunty Jackalope Backports.
More information about the ubuntu-backports
mailing list